Source: Chapter 16: Information Flow, University of California, Davis, nob.cs.ucdavis.edu/book/book-aands/slides/16.pdf
July 1, 2004, Computer Security: Art and Science, ©2002-2004 Matt Bishop
Slide #16-1
Chapter 16: Information Flow
• Entropy and analysis
• Non-lattice information flow policies
• Compiler-based mechanisms
• Execution-based mechanisms
• Examples
Slide #16-2
Overview
• Basics and background
– Entropy
• Nonlattice flow policies
• Compiler-based mechanisms
• Execution-based mechanisms
• Examples
– Security Pipeline Interface
– Secure Network Server Mail Guard
Slide #16-3
Basics
• Bell-LaPadula Model embodies an information flow policy
– Given compartments A, B, info can flow from A to B iff B dom A
• Variables x, y are assigned compartments as well as values
– If the class of x is A and the class of y is B, and B dom A, then y := x is allowed but not x := y
– An assignment moves information from its source into its target, so the target's compartment must dominate the source's
Slide #16-4
Entropy and Information Flow
• Idea: info flows from x to y as a result of a sequence of commands c if you can deduce information about x before c from the value in y after c
• Formally:
– s time before execution of c, t time after
– H(xs | yt) < H(xs | ys)
– If no y at time s, then H(xs | yt) < H(xs)
Slide #16-5
Example 1
• Command is x := y + z; where:
– 0 ≤ y ≤ 7, equal probability
– z = 1 with prob. 1/2, z = 2 or 3 with prob. 1/4 each
• s state before command executed; t, after; so
– H(ys) = H(yt) = –8(1/8) lg (1/8) = 3
– H(zs) = H(zt) = –(1/2) lg (1/2) – 2(1/4) lg (1/4) = 1.5
• If you know xt, ys can have at most 3 values (xt – 1, xt – 2, xt – 3), so H(ys | xt) ≤ lg 3 ≈ 1.58
– It is a bound rather than an equality because the three values are not equally likely: z = 1 is twice as probable as z = 2 or z = 3
– Either way H(ys | xt) < 3 = H(ys), so information flows from y to x
Slide #16-6
Example 2
• Command is
– if x = 1 then y := 0 else y := 1;
where:
– x, y equally likely to be either 0 or 1
• H(xs) = 1 as x can be either 0 or 1 with equal probability
• H(xs | yt) = 0 as if yt = 1 then xs = 0 and vice versa
– Thus, H(xs | yt) = 0 < 1 = H(xs)
• So information flowed from x to y
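The two examples above can be checked mechanically. The following is an added example, not part of the slides: it builds the joint distribution of the source variable before the command and the sink variable after it, computes the conditional entropy exactly (the slide's lg 3 for Example 1 is only the upper bound), and applies the flow criterion H(source_s | sink_t) < H(source_s). The probability tables are the ones stated on the slides; the function names are this example's own.

```python
import math
from collections import defaultdict
from fractions import Fraction


def entropy(dist):
    """Shannon entropy in bits of a distribution {value: probability}."""
    return -sum(float(p) * math.log2(float(p)) for p in dist.values() if p > 0)


def conditional_entropy(joint):
    """H(A | B) for a joint distribution {(a, b): probability},
    computed as the sum over b of P(b) * H(A | B = b)."""
    by_b = defaultdict(dict)
    for (a, b), p in joint.items():
        by_b[b][a] = p
    total = 0.0
    for cond in by_b.values():
        pb = sum(cond.values())
        total += float(pb) * entropy({a: p / pb for a, p in cond.items()})
    return total


def flows(h_before, h_after):
    """The slide's criterion: information flowed from source to sink iff
    knowing the sink's final value lowers the entropy of the source's
    initial value (the sink carries no prior information about the source
    in these examples, so H(xs | ys) = H(xs))."""
    return h_after < h_before


def example1():
    """x := y + z with y uniform on 0..7 and z = 1 (p 1/2), 2 (p 1/4), 3 (p 1/4).
    Returns (H(y_s), H(z_s), H(y_s | x_t)); the flow is from y into x."""
    p_y = {y: Fraction(1, 8) for y in range(8)}
    p_z = {1: Fraction(1, 2), 2: Fraction(1, 4), 3: Fraction(1, 4)}
    joint = defaultdict(Fraction)          # keys are (y_s, x_t)
    for y, py in p_y.items():
        for z, pz in p_z.items():
            joint[(y, y + z)] += py * pz   # y and z are independent
    return entropy(p_y), entropy(p_z), conditional_entropy(joint)


def example2():
    """if x = 1 then y := 0 else y := 1 with x uniform on {0, 1}.
    Returns (H(x_s), H(x_s | y_t)); the flow is from x into y."""
    p_x = {0: Fraction(1, 2), 1: Fraction(1, 2)}
    joint = {(x, 0 if x == 1 else 1): p for x, p in p_x.items()}  # (x_s, y_t)
    return entropy(p_x), conditional_entropy(joint)


if __name__ == "__main__":
    h_y, h_z, h_y_given_x = example1()
    print(f"Example 1: H(y_s)={h_y:.3f} H(z_s)={h_z:.3f} "
          f"H(y_s|x_t)={h_y_given_x:.3f} (lg 3 = {math.log2(3):.3f}) "
          f"flow y->x: {flows(h_y, h_y_given_x)}")
    h_x, h_x_given_y = example2()
    print(f"Example 2: H(x_s)={h_x:.3f} H(x_s|y_t)={h_x_given_y:.3f} "
          f"flow x->y: {flows(h_x, h_x_given_y)}")
```

For Example 1 the exact value is H(ys | xt) = H(ys) + H(zs) – H(xt) ≈ 1.27 bits, below both the slide's lg 3 bound and H(ys) = 3, so the conclusion that information flowed from y to x stands; for Example 2 the conditional entropy is exactly 0.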
Slide #16-7
Implicit Flow of Information
• Information flows from x to y without an explicit assignment of the form y := f(x)
– f(x) an arithmetic expression with variable x
• Example from previous slide:
– if x = 1 then y := 0 else y := 1;
• So must look for implicit flows of information to analyze program
Slide #16-8
Notation
• x means class of x (the original slides distinguish the class from the variable by underlining it; the underlining is lost here, so in a flow constraint read x as "class of x")
– In Bell-LaPadula based system, same as "label of security compartment to which x belongs"
• x ≤ y means "information can flow from an element in class of x to an element in class of y"
– Or, "information with a label placing it in class x can flow into class y"
Slide #16-9
Information Flow Policies
Information flow policies are usually:
• reflexive
– So information can flow freely among members of a single class
• transitive
– So if information can flow from class 1 to class 2, and from class 2 to class 3, then information can flow from class 1 to class 3
Slide #16-10
Non-Transitive Policies
• Betty is a confidant of Anne
• Cathy is a confidant of Betty
– With transitivity, information flows from Anne to Betty to Cathy
• Anne confides to Betty she is having an affair with Cathy's spouse
– Transitivity undesirable in this case, probably
Slide #16-11
Non-Lattice Transitive Policies
• 2 faculty members co-PIs on a grant
– Equal authority; neither can overrule the other
• Grad students report to faculty members
• Undergrads report to grad students
• Information flow relation is:
– Reflexive and transitive
• But some elements (people) have no "least upper bound" element
– What is it for the faculty members?
Slide #16-12
Confidentiality Policy Model
• Lattice model fails in previous 2 cases
• Generalize: policy I = (SCI, ≤I, joinI):
– SCI set of security classes
– ≤I ordering relation on elements of SCI
– joinI function to combine two elements of SCI
• Example: Bell-LaPadula Model
– SCI set of security compartments
– ≤I ordering relation dom
– joinI function lub
Slide #16-13
Confinement Flow Model
• (I, O, confine, →)
– I = (SCI, ≤I, joinI)
– O set of entities
– →: O×O with (a, b) ∈ → (written a → b) iff information can flow from a to b
– for a ∈ O, confine(a) = (aL, aU) ∈ SCI×SCI with aL ≤I aU
• Interpretation: for a ∈ O, if x ≤I aU, info can flow from x to a, and if aL ≤I x, info can flow from a to x
• So aL lowest classification of info allowed to flow out of a, and aU highest classification of info allowed to flow into a
Slide #16-14
Assumptions, etc.
• Assumes: object can change security classes
– So, variable can take on security class of its data
• Object x has security class x currently
• Note transitivity not required
• If information can flow from a to b, then b dominates a under ordering of policy I:
(∀ a, b ∈ O)[ a → b ⇒ aL ≤I bU ]
Slide #16-15
Example 1
• SCI = { U, C, S, TS }, with U ≤I C, C ≤I S, and S ≤I TS
• a, b, c ∈ O
– confine(a) = [ C, C ]
– confine(b) = [ S, S ]
– confine(c) = [ TS, TS ]
• Secure information flows: a → b, a → c, b → c
– As aL ≤I bU, aL ≤I cU, bL ≤I cU
– Transitivity holds
Slide #16-16
Example 2
• SCI, ≤I as in Example 1
• x, y, z ∈ O
– confine(x) = [ C, C ]
– confine(y) = [ S, S ]
– confine(z) = [ C, TS ]
• Secure information flows: x → y, x → z, y → z, z → x, z → y
– As xL ≤I yU, xL ≤I zU, yL ≤I zU, zL ≤I xU, zL ≤I yU
– Transitivity does not hold
• y → z and z → x, but y → x is false, because yL ≤I xU (that is, S ≤I C) is false
Slide #16-17
Transitive Non-Lattice Policies
• Q = (SQ, ≤Q) is a quasi-ordered set when ≤Q is transitive and reflexive over SQ
• How to handle information flow?
– Define a partially ordered set containing quasi-ordered set
– Add least upper bound, greatest lower bound to partially ordered set
– It's a lattice, so apply lattice rules!
Slide #16-18
In Detail …
• ∀x ∈ SQ: let f(x) = { y | y ∈ SQ ∧ y ≤Q x }
– Define SQP = { f(x) | x ∈ SQ }
– Define ≤QP = { (x, y) | x, y ∈ SQP ∧ x ⊆ y }
• SQP partially ordered set under ≤QP
• f preserves order: y ≤Q x iff f(y) ≤QP f(x)
– If y ≤Q x then by transitivity everything below y is below x, so f(y) ⊆ f(x); conversely y ∈ f(y) ⊆ f(x) gives y ≤Q x
• Add upper, lower bounds
– SQP′ = SQP ∪ { SQ, ∅ }
– Upper bound ub(x, y) = { z | z ∈ SQP′ ∧ x ⊆ z ∧ y ⊆ z }
– Least upper bound lub(x, y) = ∩ub(x, y)
• Lower bound, greatest lower bound defined analogously
Slide #16-19
And the Policy Is …
• Now (SQP′, ≤QP) is lattice
• Information flow policy on quasi-ordered set emulates that of this lattice!
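The construction on the previous two slides, carried out in code on a constructed instance of the co-PI story (two incomparable faculty members over a grad student over an undergrad; the names are illustrative, not from the slides). This is an added example, not part of the original slides: it builds f(x), SQP and SQP′, checks that f preserves the order, and computes lub as the intersection of upper bounds. One step goes beyond the slide and is labelled as such: the set is also closed under intersection, which guarantees ∩ub(x, y) is itself a member so that lub is always defined (for this instance the closure adds nothing).

```python
from itertools import combinations


def down_set(elements, leq, x):
    """f(x) = { y in S_Q | y <=_Q x } from the slide."""
    return frozenset(y for y in elements if leq(y, x))


def order_preserved(elements, leq):
    """Check y <=_Q x iff f(y) <=_QP f(x) over all pairs."""
    f = lambda x: down_set(elements, leq, x)
    return all(leq(y, x) == (f(y) <= f(x)) for x in elements for y in elements)


def lattice_from_quasi_order(elements, leq):
    """S_QP = { f(x) }, then S_QP' = S_QP ∪ { S_Q, ∅ } as on the slide.
    Returns (S_QP', closure); closure additionally holds every intersection
    of members of S_QP'.  This extra step is not on the slide: it makes
    ∩ub(x, y) a member, so lub below is always defined."""
    sqp = {down_set(elements, leq, x) for x in elements}
    sqp_prime = sqp | {frozenset(elements), frozenset()}
    closure = set(sqp_prime)
    changed = True
    while changed:
        changed = False
        for a, b in combinations(list(closure), 2):
            if (a & b) not in closure:
                closure.add(a & b)
                changed = True
    return sqp_prime, closure


def lub(lattice, x, y):
    """Least upper bound: intersection of all upper bounds (<=_QP is ⊆)."""
    upper = [z for z in lattice if x <= z and y <= z]   # S_Q is always one
    result = frozenset.intersection(*upper)
    assert result in lattice, "set is not intersection-closed"
    return result


def glb(lattice, x, y):
    """Greatest lower bound: in an intersection-closed family this is x ∩ y."""
    result = x & y
    assert result in lattice, "set is not intersection-closed"
    return result


def copi_example():
    """Constructed instance (names are this example's own): undergrads
    report to grad students, grad students report to both faculty members,
    and the two faculty members are incomparable, so they have no lub in S_Q."""
    elements = ["undergrad", "grad", "faculty1", "faculty2"]
    below = {("undergrad", "grad"), ("grad", "faculty1"), ("grad", "faculty2"),
             ("undergrad", "faculty1"), ("undergrad", "faculty2")}
    leq = lambda a, b: a == b or (a, b) in below     # reflexive and transitive
    sqp_prime, lattice = lattice_from_quasi_order(elements, leq)
    f = lambda x: down_set(elements, leq, x)
    return elements, leq, f, sqp_prime, lattice


if __name__ == "__main__":
    elements, leq, f, sqp_prime, lattice = copi_example()
    print("f preserves order:", order_preserved(elements, leq))
    print("closure added nothing:", lattice == sqp_prime)
    print("lub(faculty1, faculty2) =", sorted(lub(lattice, f("faculty1"), f("faculty2"))))
    print("glb(faculty1, faculty2) =", sorted(glb(lattice, f("faculty1"), f("faculty2"))))
```

The two faculty members, which have no least upper bound in the original relation, get SQ (the added top element) as their lub in the completed lattice, and their glb is f(grad), which is the answer one expects: anything both of them may receive from below must come via the grad student.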
Slide #16-20
Nontransitive Flow Policies
• Government agency information flow policy (on next slide)
• Entities public relations officers PRO, analysts A, spymasters S
– confine(PRO) = [ public, analysis ]
– confine(A) = [ analysis, top-level ]
– confine(S) = [ covert, top-level ]
Slide #16-21
Information Flow
• By confinement flow model:
– PRO → A, A → PRO
– PRO → S
– A → S, S → A
• Data cannot flow to public relations officers; not transitive
– S → A, A → PRO
– S → PRO is false
• Class ordering (Hasse diagram on the original slide): public lies below analysis and below covert; analysis and covert both lie below top-level; analysis and covert are incomparable
Slide #16-22
Transforming Into Lattice
• Rough idea: apply a special mapping to generate a subset of the power set of the set of classes
– Done so this set is partially ordered
– Means it can be transformed into a lattice
• Can show this mapping preserves ordering relation
– So it preserves non-orderings and non-transitivity of elements corresponding to those of original set
Slide #16-23
Dual Mapping
• R = (SCR, ≤R, joinR) reflexive info flow policy
• P = (SP, ≤P) ordered set
– Define dual mapping functions lR, hR: SCR→SP
• lR(x) = { x }
• hR(x) = { y | y ∈ SCR ∧ y ≤R x }
– SP contains subsets of SCR; ≤P subset relation
– Dual mapping function order preserving iff
(∀a, b ∈ SCR )[ a ≤R b ⇔ lR(a) ≤P hR(b) ]
Slide #16-24
Theorem
Dual mapping from reflexive info flow policy R to ordered set P is order-preserving
Proof sketch: all notation as before
(⇒) Let a ≤R b. Then a ∈ lR(a), a ∈ hR(b), so lR(a) ⊆ hR(b), or lR(a) ≤P hR(b)
(⇐) Let lR(a) ≤P hR(b). Then lR(a) ⊆ hR(b). But lR(a) = { a }, so a ∈ hR(b), giving a ≤R b
Slide #16-25
Info Flow Requirements
• Interpretation: let confine(x) = [ xL, xU ], consider class y
– Information can flow from x to element of y iff xL ≤R y, or lR(xL) ⊆ hR(y)
– Information can flow from element of y to x iff y ≤R xU, or lR(y) ⊆ hR(xU)
Slide #16-26
Revisit Government Example
• Information flow policy is R
• Flow relationships among classes are:
– public ≤R public, analysis ≤R analysis, covert ≤R covert, top-level ≤R top-level (reflexive)
– public ≤R analysis, public ≤R covert, public ≤R top-level
– analysis ≤R top-level, covert ≤R top-level
Slide #16-27
Dual Mapping of R
• Elements lR, hR:
– lR(public) = { public }
– hR(public) = { public }
– lR(analysis) = { analysis }
– hR(analysis) = { public, analysis }
– lR(covert) = { covert }
– hR(covert) = { public, covert }
– lR(top-level) = { top-level }
– hR(top-level) = { public, analysis, covert, top-level }
Slide #16-28
confine
• Let p be entity of type PRO, a of type A, s of type S
• In terms of P (not R), we get:
– confine(p) = [ { public }, { public, analysis } ]
– confine(a) = [ { analysis }, { public, analysis, covert, top-level } ]
– confine(s) = [ { covert }, { public, analysis, covert, top-level } ]
Slide #16-29
And the Flow Relations Are …
• p → a as lR(pL) ⊆ hR(aU)
– lR(pL) = { public }
– hR(aU) = { public, analysis, covert, top-level }
• Similarly: a → p, p → s, a → s, s → a
• But s → p is false as lR(sL) ⊄ hR(pU)
– lR(sL) = { covert }
– hR(pU) = { public, analysis }
Slide #16-30
Analysis
• (SP, ≤P) is a lattice, so it can be analyzed like a lattice policy
• Dual mapping preserves ordering, hence non-ordering and non-transitivity, of original policy
– So results of analysis of (SP, ≤P) can be mapped back into (SCR, ≤R, joinR)
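The confinement flow model (slides 16-13 to 16-16) and the dual mapping (slides 16-23 to 16-30) can be run side by side on the two worked examples. The following is an added example, not from the slides: it decides a → b directly by aL ≤ bU, decides it again in the image ordered set by lR(aL) ⊆ hR(bU), confirms the two agree (the order-preservation theorem), and lists the pairs where transitivity fails. The class orderings and confine values are exactly those on the slides; the function names are this example's own.

```python
def make_leq(pairs):
    """≤ on classes from a set of (lower, higher) pairs plus reflexivity.
    The pair sets below already list the transitive consequences."""
    return lambda a, b: a == b or (a, b) in pairs


def confinement_flows(confine, leq):
    """a → b in the confinement flow model iff a_L ≤ b_U."""
    return {(a, b) for a in confine for b in confine
            if a != b and leq(confine[a][0], confine[b][1])}


def l_map(x):
    """l_R(x) = { x }."""
    return frozenset({x})


def h_map(classes, leq, x):
    """h_R(x) = { y ∈ SC_R | y ≤_R x }."""
    return frozenset(y for y in classes if leq(y, x))


def dual_mapping_flows(confine, classes, leq):
    """The same flows decided in the image (S_P, ⊆): l_R(a_L) ⊆ h_R(b_U)."""
    return {(a, b) for a in confine for b in confine
            if a != b and l_map(confine[a][0]) <= h_map(classes, leq, confine[b][1])}


def transitivity_gaps(flow):
    """Pairs (a, c) with a → b and b → c for some b, but no a → c."""
    return {(a, c) for (a, b) in flow for (b2, c) in flow
            if b == b2 and a != c and (a, c) not in flow}


def ucsts_example2():
    """Slide 16-16: U ≤ C ≤ S ≤ TS; confine(x)=[C,C], (y)=[S,S], (z)=[C,TS]."""
    classes = ["U", "C", "S", "TS"]
    leq = make_leq({("U", "C"), ("C", "S"), ("S", "TS"),
                    ("U", "S"), ("U", "TS"), ("C", "TS")})
    confine = {"x": ("C", "C"), "y": ("S", "S"), "z": ("C", "TS")}
    return (confinement_flows(confine, leq),
            dual_mapping_flows(confine, classes, leq))


def government_example():
    """Slides 16-20 to 16-29: public ≤ analysis, covert ≤ top-level;
    confine(p)=[public, analysis], (a)=[analysis, top-level], (s)=[covert, top-level]."""
    classes = ["public", "analysis", "covert", "top-level"]
    leq = make_leq({("public", "analysis"), ("public", "covert"),
                    ("public", "top-level"), ("analysis", "top-level"),
                    ("covert", "top-level")})
    confine = {"p": ("public", "analysis"),
               "a": ("analysis", "top-level"),
               "s": ("covert", "top-level")}
    return (confinement_flows(confine, leq),
            dual_mapping_flows(confine, classes, leq))


if __name__ == "__main__":
    for name, (direct, dual) in (("U/C/S/TS", ucsts_example2()),
                                 ("government", government_example())):
        print(name, "flows:", sorted(direct), "dual agrees:", direct == dual,
              "transitivity gaps:", sorted(transitivity_gaps(direct)))
```

The transitivity gaps reported are exactly the ones the slides point out: (y, x) in the U/C/S/TS example and (s, p) in the government example, i.e. the spymaster's data cannot reach the public relations officer even though it reaches the analyst and the analyst's data reaches the officer.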
Slide #16-31
Compiler-Based Mechanisms
• Detect unauthorized information flows in a program during compilation
• Analysis not precise, but secure
– If a flow could violate policy (but may not), it is unauthorized
– No unauthorized path along which information could flow remains undetected
• Set of statements certified with respect to information flow policy if flows in set of statements do not violate that policy
Slide #16-32
Example
if x = 1 then y := a; else y := b;
• Info flows from x and a to y, or from x and b to y
• Certified only if x ≤ y and a ≤ y and b ≤ y
– Note flows for both branches must be true unless compiler can determine that one branch will never be taken
Slide #16-33
Declarations
• Notation:
x: int class { A, B }
means x is an integer variable with security class at least lub{ A, B }, so lub{ A, B } ≤ x
• Distinguished classes Low, High
– Constants are always Low
Slide #16-34
Input Parameters
• Parameters through which data passed into procedure
• Class of parameter is class of actual argument
ip: type class { ip }
Slide #16-35
Output Parameters
• Parameters through which data passed out of procedure
– If data passed in, called input/output parameter
• As information can flow from input parameters to output parameters, class must include this:
op: type class { r1, …, rn }
where ri is class of ith input or input/output argument
Slide #16-36
Example
proc sum(x: int class { A };
         var out: int class { A, B });
begin
  out := out + x;
end;
• Require x ≤ out and out ≤ out
Slide #16-37
Array Elements
• Information flowing out:
… := a[i]
Value of i, a[i] both affect result, so class is lub{ a[i], i }
• Information flowing in:
a[i] := …
• Only value of a[i] affected, so class is a[i]
Slide #16-38
Assignment Statements
x := y + z;
• Information flows from y, z to x, so this requires lub{ y, z } ≤ x
More generally:
y := f(x1, …, xn)
• the relation lub{ x1, …, xn } ≤ y must hold
Slide #16-39
Compound Statements
x := y + z; a := b * c – x;
• First statement: lub{ y, z } ≤ x
• Second statement: lub{ b, c, x } ≤ a
• So, both must hold (i.e., be secure)
More generally:
S1; … Sn;
• Each individual Si must be secure
Slide #16-40
Conditional Statements
if x + y < z then a := b else d := b * c – x; end
• The statement executed reveals information about x, y, z, so lub{ x, y, z } ≤ glb{ a, d }
More generally:
if f(x1, …, xn) then S1 else S2; end
• S1, S2 must be secure
• lub{ x1, …, xn } ≤ glb{ y | y target of assignment in S1, S2 }
Slide #16-41
Iterative Statements
while i < n do begin a[i] := b[i]; i := i + 1; end
• Same ideas as for "if", but must terminate
More generally:
while f(x1, …, xn) do S;
• Loop must terminate
• S must be secure
• lub{ x1, …, xn } ≤ glb{ y | y target of assignment in S }
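The certification rules for assignment, compound, conditional and iterative statements (slides 16-38 to 16-41) make up one small checker. The following is an added example, not code from the slides: a certifier over a tiny statement AST that emits the lub/glb constraints the slides state and reports which are violated. Security classes are modelled as sets of atomic labels ordered by inclusion, which is what the `class { A, B }` declaration notation suggests (lub is union, glb is intersection, Low is the empty set); the AST shape and the function names are this example's own. It is run on the slides' conditional, the body of `sum`, and the array-copy loop, each also with a leaking variant.

```python
from functools import reduce

# Security classes are sets of atomic labels ordered by inclusion, so the
# declaration `x: int class { A, B }` becomes frozenset({"A", "B"}); lub is
# union, glb is intersection and Low is the empty set (constants are Low).
Low = frozenset()


def lub(*classes):
    return reduce(frozenset.union, classes, Low)


def glb(*classes):
    return reduce(frozenset.intersection, classes)


# Statements are tuples (this example's own encoding):
#   ("assign", target, [variables read by the expression])
#   ("seq", [statements])
#   ("if", [variables read by the test], then_stmt, else_stmt)
#   ("while", [variables read by the test], body_stmt)
# A read of a[i] lists both a and i (class lub{a, i}, slide 16-37); a write
# a[i] := ... targets a.


def targets(stmt):
    """Variables assigned anywhere inside stmt."""
    kind = stmt[0]
    if kind == "assign":
        return {stmt[1]}
    if kind == "seq":
        return set().union(*(targets(s) for s in stmt[1]))
    return set().union(*(targets(s) for s in stmt[2:]))   # if / while bodies


def certify(stmt, cls):
    """Return the list of violated constraints; [] means certified.
    Loop termination, which the slide also requires, is not checked here."""
    kind, bad = stmt[0], []
    if kind == "assign":
        _, target, used = stmt
        if not lub(*(cls[v] for v in used)) <= cls[target]:
            bad.append(f"lub{{{', '.join(used)}}} <= {target}")
    elif kind == "seq":
        for s in stmt[1]:
            bad += certify(s, cls)
    elif kind in ("if", "while"):
        cond, bodies = stmt[1], stmt[2:]
        for body in bodies:                      # every branch must be secure
            bad += certify(body, cls)
        tg = sorted(set().union(*(targets(b) for b in bodies)))
        # implicit flow: the test decides which assignments execute
        if tg and not lub(*(cls[v] for v in cond)) <= glb(*(cls[t] for t in tg)):
            bad.append(f"lub{{{', '.join(cond)}}} <= glb{{{', '.join(tg)}}}")
    else:
        raise ValueError(f"unknown statement {kind}")
    return bad


def slide_examples():
    """The conditional (16-32), the body of sum (16-36) and the array-copy
    loop (16-41), with the declared classes and with a leaking variant."""
    A, B = frozenset({"A"}), frozenset({"B"})
    cond = ("if", ["x"], ("assign", "y", ["a"]), ("assign", "y", ["b"]))
    body = ("assign", "out", ["out", "x"])
    loop = ("while", ["i", "n"], ("seq", [("assign", "a", ["b", "i"]),
                                          ("assign", "i", ["i"])]))
    return {
        "if_ok":     certify(cond, {"x": A, "a": A, "b": B, "y": A | B}),
        "if_leak":   certify(cond, {"x": A, "a": A, "b": B, "y": A}),
        "sum_ok":    certify(body, {"x": A, "out": A | B}),
        "loop_ok":   certify(loop, {"i": Low, "n": Low, "a": A, "b": A}),
        "loop_leak": certify(loop, {"i": B, "n": Low, "a": A, "b": A}),
    }


if __name__ == "__main__":
    for name, violations in slide_examples().items():
        print(f"{name}: {'certified' if not violations else violations}")
```

Note how the leaking loop variant is rejected twice: once for the explicit flow of the index i into a[i] through the read of b[i], and once for the implicit flow from the loop test into every target assigned in the body, exactly the two kinds of constraint the slides distinguish.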
Slide #16-43
Goto Statements
• No assignments
– Hence no explicit flows
• Need to detect implicit flows
• Basic block is sequence of statements that have one entry point and one exit point
– Control in block always flows from entry point to exit point
Slide #16-44
Example Program
proc tm(x: array[1..10][1..10] of int class {x};
        var y: array[1..10][1..10] of int class {y});
var i, j: int class {i};
begin
b1   i := 1;
b2   L2: if i > 10 then goto L7;
b3   j := 1;
b4   L4: if j > 10 then goto L6;
b5   y[j][i] := x[i][j]; j := j + 1; goto L4;
b6   L6: i := i + 1; goto L2;
b7   L7:
end;
Slide #16-45
Flow of Control
• Control flow graph of tm (the edges of the diagram on the original slide; the slide writes the tests as i > n, i ≤ n, j > n, j ≤ n, with n = 10 in the code):
– b1 → b2
– b2 → b7 (i > n); b2 → b3 (i ≤ n)
– b3 → b4
– b4 → b6 (j > n); b4 → b5 (j ≤ n)
– b5 → b4
– b6 → b2
Slide #16-46
IFDs
• Idea: when two paths out of basic block, implicit flow occurs
– Because information says which path to take
• When paths converge, either:
– Implicit flow becomes irrelevant; or
– Implicit flow becomes explicit
• Immediate forward dominator of basic block b (written IFD(b)) is first basic block lying on all paths of execution passing through b
Slide #16-47
IFD Example
• In previous procedure:
– IFD(b1) = b2 (one path)
– IFD(b2) = b7 (b2→b7 or b2→b3→b4→b6→b2→b7)
– IFD(b3) = b4 (one path)
– IFD(b4) = b6 (b4→b6 or b4→b5→b6)
– IFD(b5) = b4 (one path)
– IFD(b6) = b2 (one path)
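The IFD table above can be computed rather than read off the graph. The following is an added example, not part of the slides: it takes the control flow graph of `tm` as listed on the Flow of Control slide, computes the postdominator sets by the usual iterative data-flow fixpoint, derives IFD(b) as the nearest strict postdominator of b, and also computes the block sets Bi used by the requirements on the next slides (blocks reachable from bi before IFD(bi) is reached). The graph encoding and the function names are this example's own.

```python
def postdominators(succ, exit_node):
    """pdom(n): blocks lying on every path from n to the exit, n included.
    Maximal fixpoint of pdom(n) = {n} ∪ ∩ pdom(s) over the successors s."""
    nodes = set(succ) | {s for ss in succ.values() for s in ss}
    pdom = {n: set(nodes) for n in nodes}
    pdom[exit_node] = {exit_node}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == exit_node or not succ.get(n):
                continue
            new = {n} | set.intersection(*(pdom[s] for s in succ[n]))
            if new != pdom[n]:
                pdom[n], changed = new, True
    return pdom


def ifd(succ, exit_node):
    """IFD(b): the strict postdominator of b nearest to b, i.e. the one
    that every other strict postdominator of b also postdominates."""
    pdom = postdominators(succ, exit_node)
    return {n: max(ds - {n}, key=lambda d: len(pdom[d]))
            for n, ds in pdom.items() if ds - {n}}


def region(succ, b, ifd_b):
    """B_b from slide 16-48: blocks reachable from b without passing
    through IFD(b), excluding b itself and IFD(b)."""
    seen, stack = set(), list(succ[b])
    while stack:
        n = stack.pop()
        if n == ifd_b or n in seen:
            continue
        seen.add(n)
        stack.extend(succ[n])
    return seen - {b}


# Control flow graph of proc tm, read off the slide: b2 leaves the outer
# loop to b7 when i > 10, b4 leaves the inner loop to b6 when j > 10.
TM_CFG = {"b1": ["b2"], "b2": ["b7", "b3"], "b3": ["b4"],
          "b4": ["b6", "b5"], "b5": ["b4"], "b6": ["b2"], "b7": []}


if __name__ == "__main__":
    table = ifd(TM_CFG, "b7")
    for b in sorted(table):
        print(f"IFD({b}) = {table[b]}   B = {sorted(region(TM_CFG, b, table[b]))}")
```

For this graph the result agrees with the slide (IFD(b2) = b7, IFD(b4) = b6, and so on), and the regions B2 = { b3, b4, b5, b6 } and B4 = { b5 } are the sets the following two slides analyse.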
Slide #16-48
Requirements
• Bi is set of basic blocks along an execution path from bi to IFD(bi)
– Analogous to statements in conditional statement
• xi1, …, xin variables in expression selecting which execution path containing basic blocks in Bi used
– Analogous to conditional expression
• Requirements for secure:
– All statements in each basic block are secure
– lub{ xi1, …, xin } ≤ glb{ y | y target of assignment in Bi }
Slide #16-49
Example of Requirements
• Within each basic block:
– b1: Low ≤ i
– b3: Low ≤ j
– b6: lub{ Low, i } ≤ i
– b5: lub{ x[i][j], i, j } ≤ y[j][i]; lub{ Low, j } ≤ j
– Combining, lub{ x[i][j], i, j } ≤ y[j][i]
– From declarations (x[i][j] has class x, y[j][i] has class y, and i, j both have class i), true when lub{ x, i } ≤ y
• B2 = { b3, b4, b5, b6 }
– Assignments to i, j, y[j][i]; conditional is i ≤ 10
– Requires i ≤ glb{ i, j, y[j][i] }
– From declarations, true when i ≤ y
Slide #16-50
Example (continued)
• B4 = { b5 }
– Assignments to j, y[j][i]; conditional is j ≤ 10
– Requires j ≤ glb{ j, y[j][i] }
– From declarations, means i ≤ y
• Result:
– Combine lub{ x, i } ≤ y; i ≤ y; i ≤ y
– Requirement is lub{ x, i } ≤ y
Slide #16-51
Procedure Calls
    tm(a, b);
From previous slides, to be secure, lub{ x, i } ≤ y must hold
• In call, x corresponds to a, y to b
• Means that lub{ a, i } ≤ b, or a ≤ b
More generally:
    proc pn(i1, …, im: int; var o1, …, on: int)
    begin S end;
• S must be secure
• For all j and k, if ij ≤ ok, then xj ≤ yk
• For all j and k, if oj ≤ ok, then yj ≤ yk
Slide #16-52
Exceptions
    proc copy(x: int class { x }; var y: int class Low)
    var sum: int class { x };
        z: int class Low;
    begin
        y := z := sum := 0;
        while z = 0 do begin
            sum := sum + x;
            y := y + 1;
        end
    end
Slide #16-53
Exceptions (cont)
• When sum overflows, integer overflow trap
– Procedure exits
– Value of x is MAXINT/y
– Info flows from y to x, but x ≤ y never checked
• Need to handle exceptions explicitly
– Idea: on integer overflow, terminate loop
    on integer_overflow_exception sum do z := 1;
– Now info flows from sum to z, meaning sum ≤ z
– This is false (sum = { x } dominates z = Low)
Slide #16-54
Infinite Loops
    proc copy(x: int 0..1 class { x }; var y: int 0..1 class Low)
    begin
        y := 0;
        while x = 0 do (* nothing *);
        y := 1;
    end
• If x = 0 initially, infinite loop
• If x = 1 initially, terminates with y set to 1
• No explicit flows, but implicit flow from x to y
Slide #16-55
Semaphores
Use these constructs:
    wait(x): if x = 0 then block until x > 0; x := x – 1;
    signal(x): x := x + 1;
– x is semaphore, a shared variable
– Both executed atomically
Consider statement
    wait(sem); x := x + 1;
• Implicit flow from sem to x
– Certification must take this into account!
Slide #16-56
Flow Requirements
• Semaphores in signal irrelevant
– Don’t affect information flow in that process
• Statement S is a wait
– shared(S): set of shared variables read
• Idea: information flows out of variables in shared(S)
– fglb(S): glb of assignment targets following S
– So, requirement is shared(S) ≤ fglb(S)
• begin S1; … Sn end
– All Si must be secure
– For all i, shared(Si) ≤ fglb(Si)
Slide #16-57
Example
    begin
        x := y + z;      (* S1 *)
        wait(sem);       (* S2 *)
        a := b * c – x;  (* S3 *)
    end
• Requirements:
– lub{ y, z } ≤ x
– lub{ b, c, x } ≤ a
– sem ≤ a
• Because fglb(S2) = a and shared(S2) = sem
Slide #16-58
Concurrent Loops
• Similar, but wait in loop affects all statements in loop
– Because if flow of control loops, statements in loop before wait may be executed after wait
• Requirements
– Loop terminates
– All statements S1, …, Sn in loop secure
– lub{ shared(S1), …, shared(Sn) } ≤ glb(t1, …, tm)
• Where t1, …, tm are variables assigned to in loop
Slide #16-59
Loop Example
    while i < n do begin
        a[i] := item;   (* S1 *)
        wait(sem);      (* S2 *)
        i := i + 1;     (* S3 *)
    end
• Conditions for this to be secure:
– Loop terminates, so this condition met
– S1 secure if lub{ i, item } ≤ a[i]
– S2 secure if sem ≤ i and sem ≤ a[i]
– S3 trivially secure
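An added example (not code from the slides) that derives the requirements of the Flow Requirements, Example, Concurrent Loops and Loop Example slides mechanically: it generates lub/glb requirements for a begin…end block and for a loop body that contain wait statements, renders them in the slides' notation, and evaluates them under a concrete class assignment. It assumes the two-point lattice Low < High; the statement lists BLOCK and LOOP encode the two programs above.

```python
# Added example, not code from the slides.  Assumes the lattice Low < High;
# a statement is either an assignment (target, variables read) or a wait on
# some shared semaphores.
LOW, HIGH = "Low", "High"

def leq(a, b):
    return a == LOW or b == HIGH

def assign(target, *reads):
    """Statement target := f(reads...)."""
    return {"kind": "assign", "target": target, "reads": list(reads)}

def wait(*shared):
    """Statement wait(sem): shared(S) is the set of semaphores read."""
    return {"kind": "wait", "shared": list(shared)}

def block_requirements(stmts):
    """Requirements for begin S1; ...; Sn end, as pairs (sources, targets)
    meaning lub{sources} <= glb{targets}.  For a wait the targets are the
    variables assigned *after* it, i.e. fglb(S) on the slides."""
    reqs = []
    for i, s in enumerate(stmts):
        if s["kind"] == "assign":
            reqs.append((tuple(s["reads"]), (s["target"],)))
        else:
            after = tuple(t["target"] for t in stmts[i + 1:] if t["kind"] == "assign")
            reqs.append((tuple(s["shared"]), after))
    return reqs

def loop_requirements(stmts):
    """Requirements for a loop body: each assignment secure on its own, plus
    lub of every shared variable <= glb of every variable assigned in the loop,
    since a statement before the wait may run after it on the next pass."""
    reqs = [r for s in stmts if s["kind"] == "assign" for r in block_requirements([s])]
    shared = tuple(v for s in stmts if s["kind"] == "wait" for v in s["shared"])
    targets = tuple(s["target"] for s in stmts if s["kind"] == "assign")
    if shared:
        reqs.append((shared, targets))
    return reqs

def fmt(op, vs, empty):
    # lub of nothing is Low, glb of nothing is High
    return empty if not vs else vs[0] if len(vs) == 1 else op + "{ " + ", ".join(vs) + " }"

def render(req):
    """Requirement in the slides' notation, e.g. 'lub{ y, z } <= x'."""
    return f"{fmt('lub', req[0], LOW)} <= {fmt('glb', req[1], HIGH)}"

def holds(reqs, cls):
    """True iff every requirement holds under the class assignment cls."""
    for src, tgt in reqs:
        lub_src = HIGH if any(cls[v] == HIGH for v in src) else LOW
        glb_tgt = LOW if any(cls[v] == LOW for v in tgt) else HIGH
        if not leq(lub_src, glb_tgt):
            return False
    return True

# The block with the wait (Example slide) and the loop body (Loop Example).
BLOCK = [assign("x", "y", "z"), wait("sem"), assign("a", "b", "c", "x")]
LOOP = [assign("a[i]", "i", "item"), wait("sem"), assign("i", "i")]

if __name__ == "__main__":
    for req in block_requirements(BLOCK) + loop_requirements(LOOP):
        print(render(req))
```

Note that a wait with no assignment after it yields an empty target set, so its requirement is vacuous (glb of nothing is High).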
Slide #16-60
cobegin/coend
    cobegin
        x := y + z;      (* S1 *)
        a := b * c – y;  (* S2 *)
    coend
• No information flow among statements
– For S1, lub{ y, z } ≤ x
– For S2, lub{ b, c, y } ≤ a
• Security requirement is both must hold
– So this is secure if lub{ y, z } ≤ x ∧ lub{ b, c, y } ≤ a
Slide #16-61
Soundness
• Above exposition intuitive
• Can be made rigorous:
– Express flows as types
– Equate certification to correct use of types
– Checking for valid information flows same as checking types conform to semantics imposed by security policy
Slide #16-62
Execution-Based Mechanisms
• Detect and stop flows of information that violate policy
– Done at run time, not compile time
• Obvious approach: check explicit flows
– Problem: assume for security, x ≤ y
    if x = 1 then y := a;
– When x ≠ 1, x = High, y = Low, a = Low, appears okay—but implicit flow violates condition!
Slide #16-63
Fenton’s Data Mark Machine
• Each variable has an associated class
• Program counter (PC) has one too
• Idea: branches are assignments to PC, so you can treat implicit flows as explicit flows
• Stack-based machine, so everything done in terms of pushing onto and popping from a program stack
Slide #16-64
Instruction Description
• skip means instruction not executed
• push(x, x) means push variable x and its security class x onto program stack
• pop(x, x) means pop top value and security class from program stack, assign them to variable x and its security class x respectively
Slide #16-65
Instructions
• x := x + 1 (increment)
– Same as:
    if PC ≤ x then x := x + 1 else skip
• if x = 0 then goto n else x := x – 1 (branch and save PC on stack)
– Same as:
    if x = 0 then begin
        push(PC, PC); PC := lub{PC, x}; PC := n;
    end
    else if PC ≤ x then
        x := x - 1
    else
        skip;
Slide #16-66
More Instructions
• if’ x = 0 then goto n else x := x – 1 (branch without saving PC on stack)
– Same as:
    if x = 0 then
        if x ≤ PC then PC := n else skip
    else
        if PC ≤ x then x := x – 1 else skip
Slide #16-67
More Instructions
• return (go to just after last if)
– Same as:
    pop(PC, PC);
• halt (stop)
– Same as:
    if program stack empty then halt
– Note stack empty to prevent user obtaining information from it after halting
Slide #16-68
Example Program
    1 if x = 0 then goto 4 else x := x – 1
    2 if z = 0 then goto 6 else z := z – 1
    3 halt
    4 z := z – 1
    5 return
    6 y := y – 1
    7 return
• Initially x = 0 or x = 1, y = 0, z = 0
• Program copies value of x to y
Slide #16-69
Example Execution
    x  y  z  PC  class(PC)  stack     check
    1  0  0  1   Low        —         —
    0  0  0  2   Low        —         Low ≤ x
    0  0  0  6   z          (3, Low)  —
    0  1  0  7   z          (3, Low)  PC ≤ y
    0  1  0  3   Low        —         —
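A simulator for the Data Mark Machine instructions of the preceding slides, added here as an example (it is not code from the slides). It runs the example program above and reproduces the execution trace, then shows what happens when y's class does not dominate the PC class at instruction 6: the offending assignment is skipped rather than reported, so y no longer depends on x. It assumes the two-point lattice Low < High and 1-bit variables with arithmetic mod 2, since the slide's trace shows y := y – 1 taking y from 0 to 1.

```python
from dataclasses import dataclass, field
# Added example, not code from the slides.  Assumes the lattice Low < High and
# 1-bit variables (arithmetic mod 2: the slide's trace has y := y - 1 take 0 to 1).
LOW, HIGH = "Low", "High"

def leq(a, b):
    return a == LOW or b == HIGH

def lub(a, b):
    return HIGH if HIGH in (a, b) else LOW

# The slide's program: ("br", v, n) is "if v = 0 then goto n else v := v - 1"
# (branch and save PC on the stack); ("dec", v) is v := v - 1.
COPY_PROGRAM = {1: ("br", "x", 4), 2: ("br", "z", 6), 3: ("halt",),
                4: ("dec", "z"), 5: ("ret",), 6: ("dec", "y"), 7: ("ret",)}

@dataclass
class DataMarkMachine:
    vals: dict                    # variable -> value
    cls: dict                     # variable -> security class
    pc: int = 1
    pc_cls: str = LOW             # class of the program counter
    stack: list = field(default_factory=list)
    trace: list = field(default_factory=list)

    def guarded_dec(self, v):
        # v := v - 1 only if PC <= v; otherwise silently skipped (Handling Errors)
        if leq(self.pc_cls, self.cls[v]):
            self.vals[v] = (self.vals[v] - 1) % 2
        return f"PC <= {v}"

    def step(self, instr):
        """Execute one instruction; return the check made, or None on halt."""
        op, check = instr[0], "-"
        if op == "dec":
            check = self.guarded_dec(instr[1])
            self.pc += 1
        elif op == "br":
            v, n = instr[1], instr[2]
            if self.vals[v] == 0:
                # a branch is an assignment to PC: save (return address, old
                # class) on the stack, then raise the PC class to lub{PC, v}
                self.stack.append((self.pc + 1, self.pc_cls))
                self.pc_cls, self.pc = lub(self.pc_cls, self.cls[v]), n
            else:
                check = self.guarded_dec(v)
                self.pc += 1
        elif op == "ret":
            self.pc, self.pc_cls = self.stack.pop()
        elif op == "halt":
            if not self.stack:
                return None       # stop; an empty stack leaves nothing to read
            self.pc += 1          # non-empty stack: treated as skip (assumed)
        return check

    def snapshot(self, check):
        v = self.vals
        return (v["x"], v["y"], v["z"], self.pc, self.pc_cls, list(self.stack), check)

    def run(self, program):
        self.trace.append(self.snapshot("-"))
        while (check := self.step(program[self.pc])) is not None:
            self.trace.append(self.snapshot(check))

def copy_x_to_y(x, x_cls, y_cls, z_cls):
    """Run the copy program on the DMM; return (final y, execution trace)."""
    m = DataMarkMachine({"x": x, "y": 0, "z": 0}, {"x": x_cls, "y": y_cls, "z": z_cls})
    m.run(COPY_PROGRAM)
    return m.vals["y"], m.trace
```

With x, y and z all High, copy_x_to_y(1, ...) produces the five-row trace on the slide and ends with y = 1; with y Low and z High, y stays 0 for both initial values of x.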
Slide #16-70
Handling Errors
• Ignore statement that causes error, but continue execution
– If aborted or a visible exception taken, user could deduce information
– Means errors cannot be reported unless user has clearance at least equal to that of the information causing the error
Slide #16-71
Variable Classes
• Up to now, classes fixed
– Check relationships on assignment, etc.
• Consider variable classes
– Fenton’s Data Mark Machine does this for PC
– On assignment of form y := f(x1, …, xn), y changed to lub{ x1, …, xn }
– Need to consider implicit flows, also
Slide #16-72
Example Program
    (* Copy value from x to y
     * Initially, x is 0 or 1 *)
    proc copy(x: int class { x };
              var y: int class { y })
    var z: int class variable { Low };
    begin
        y := 0;
        z := 0;
        if x = 0 then z := 1;
        if z = 0 then y := 1;
    end;
• Class of z changes when z is assigned to
• Assume y < x
Slide #16-73
Analysis of Example
• x = 0
– z := 0 sets class of z to Low
– if x = 0 then z := 1 sets z to 1 and class of z to x
– So on exit, y = 0
• x = 1
– z := 0 sets class of z to Low
– if z = 0 then y := 1 sets y to 1 and checks that lub{Low, z} ≤ y
– So on exit, y = 1
• Information flowed from x to y even though y < x
Slide #16-74
Handling This (1)
• Fenton’s Data Mark Machine detects implicit flows violating certification rules
Slide #16-75
Handling This (2)
• Raise class of variables assigned to in conditionals even when branch not taken
• Also, verify information flow requirements even when branch not taken
• Example:
– In if x = 0 then z := 1, class of z raised to x whether or not x = 0
– Certification check in next statement, that z ≤ y, fails, as z = x from previous statement, and y ≤ x
Slide #16-76
Handling This (3)
• Change classes only when explicit flows occur, but all flows (implicit as well as explicit) force certification checks
• Example
– When x = 0, first “if” sets class of z to Low then checks x ≤ z
– When x = 1, first “if” checks that x ≤ z
– This holds if and only if x = Low
• Not possible as y < x = Low and there is no such class
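The three treatments of variable classes from the Variable Classes slide through Handling This (3), run side by side on the copy procedure above. This is an added example, not code from the slides; it assumes the two-point lattice Low < High with x: High and y: Low (so y < x, as the slide assumes), and constants carry class Low.

```python
# Added example, not code from the slides.  Assumes the lattice Low < High,
# x: High, y: Low (y < x) and z: int class variable { Low }.
LOW, HIGH = "Low", "High"

def leq(a, b):
    return a == LOW or b == HIGH

def lub(a, b):
    return HIGH if HIGH in (a, b) else LOW

class FlowViolation(Exception):
    """A certification check failed at run time."""

def run_copy(x, rule):
    """Execute the copy procedure on input x (0 or 1) under one rule:
    'naive'     - Variable Classes slide: classes follow executed assignments only
    'raise'     - Handling This (2): conditional targets raised and checked either way
    'check_all' - Handling This (3): classes change on explicit flows only, but
                  implicit flows are checked as well
    Returns the final y, or raises FlowViolation."""
    env = {"x": x, "y": 0, "z": 0}
    cls = {"x": HIGH, "y": LOW, "z": LOW}
    variable = {"z"}                         # only z's class may change

    def assign(target, value, incoming):
        """Explicit flow of class `incoming` into target (constants are Low)."""
        if target in variable:
            cls[target] = incoming           # y := f(x1..xn): class := lub{x1..xn}
        elif not leq(incoming, cls[target]):
            raise FlowViolation(f"{incoming} <= {target}({cls[target]}) fails")
        env[target] = value

    def cond_assign(guard, target, value):
        """if guard = 0 then target := value   (implicit flow guard -> target)."""
        taken, g = env[guard] == 0, cls[guard]
        if rule == "naive":
            if taken:                        # implicit flow counted only when
                assign(target, value, g)     # the branch actually executes
        elif rule == "raise":                # raise and check whether taken or not
            assign(target, value if taken else env[target], lub(g, cls[target]))
        else:                                # explicit flow sets the class ...
            if taken:
                assign(target, value, LOW)
            if not leq(g, cls[target]):      # ... and the implicit flow is checked
                raise FlowViolation(f"implicit {guard} -> {target}: {g} <= {cls[target]} fails")

    assign("y", 0, LOW)
    assign("z", 0, LOW)
    cond_assign("x", "z", 1)
    cond_assign("z", "y", 1)
    return env["y"]

def violation(x, rule):
    """Message of the failed check under `rule` for input x, or None if it passes."""
    try:
        run_copy(x, rule)
        return None
    except FlowViolation as e:
        return str(e)

def leaks(rule):
    """True if the rule lets the procedure copy x into y for both inputs."""
    return all(violation(x, rule) is None and run_copy(x, rule) == x for x in (0, 1))
```

Under 'naive' the procedure passes every check yet y ends up equal to x; under the two fixes both inputs trip a check, the first at the assignment to y and the second at the implicit flow from x into z.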
Slide #16-77
Example Information Flow Control Systems
• Use access controls of various types to inhibit information flows
• Security Pipeline Interface
– Analyzes data moving from host to destination
• Secure Network Server Mail Guard
– Controls flow of data between networks that have different security classifications
Slide #16-78
Security Pipeline Interface
• SPI analyzes data going to, from host
– No access to host main memory
– Host has no control over SPI
[Figure; labels only: host, SPI, first disk, second disk]
Slide #16-79
Use
• Store files on first disk
• Store corresponding crypto checksums on second disk
• Host requests file from first disk
– SPI retrieves file, computes crypto checksum
– SPI retrieves file’s crypto checksum from second disk
– If a match, file is fine and forwarded to host
– If discrepancy, file is compromised and host notified
• Integrity information flow restricted here
– Corrupt file can be seen but will not be trusted
Slide #16-80
Secure Network Server Mail Guard (SNSMG)
• Filters analyze outgoing messages
– Check authorization of sender
– Sanitize message if needed (words and viruses, etc.)
• Uses type checking to enforce this
– Incoming, outgoing messages of different type
– Only appropriate type can be moved in or out
[Figure; labels only: SECRET computer, MTA, filters (out, in), MTA, UNCLASSIFIED computer]
Slide #16-81
Key Points
• Both amount of information, direction of flow important
– Flows can be explicit or implicit
• Analysis assumes lattice model
– Non-lattices can be embedded in lattices
• Compiler-based checks flows at compile time
• Execution-based checks flows at run time